The worm that turned thousands of PCs off


Wired on Friday: Internet weather, they call it. It's the tiny variations in speed online - a few hundredths of a microsecond here, a few extra route jumps there. Like normal weather, most of the time, it's just there for conversation. What's up with the Net today? Is the Net slow at your office?

On Friday, January 24th, between the time I left for an evening meal and the time I returned, the Internet weather got very bad indeed. Hurricane level: familiar landmarks like Yahoo and Google disappeared behind "host not responding" messages. Nineteen in 20 data packets sent were lost at sea. Australia was cut off from the rest of the world; thousands in the US could no longer see Britain. What email trickled into my mailbox that evening was frantic: network system administrators - sysadmins - from across the world chattering on their internal mailing lists, reporting a universal slowdown in the Net. Connections were filling with incoherent traffic; transatlantic pipes were clogging up, so that legitimate Internet traffic could not pass.

Everyone quickly guessed what the problem was. It was a worm: a self-replicating program designed to spread across computers on the Net like a speeded-up computer virus. All over the world, engineers fought to find the source of the infection, isolate it, and free the rest of the Net.

By the time they spotted the worm's effects, it was already too late. Sapphire had not spread in the time it took for my dinner date. It had spread faster. Within 10 minutes of the worm's release, it had spread to more than 90 per cent of vulnerable machines: more than 75,000 machines worldwide. There simply would not have been time to raise the alarm before the Net had seized up.


The Sapphire worm, in this regard, was scarily reminiscent of a theoretical Net infection, described by Nicholas Weaver at Berkeley University in 2001. Weaver worked out a worst-case scenario for the Net: a worm that was smart enough and virulent enough to infect millions of hosts in under a quarter of an hour. Weaver called his monster a Warhol Worm - infamous for 15 minutes.

Sapphire was not a Warhol worm: it infected far fewer hosts, and apparently did not use the techniques that Weaver describes in his paper. It was a one-trick pony. It could only attack a particular Microsoft Windows configuration. The bug it exploited was fixed by Microsoft last July: to be vulnerable, owners must have failed to install this fix, and then been lax enough again to miss another fix released by the company this January. Less than 1 per cent of Microsoft's army of customers, a tiny fraction of the online universe, was successfully breached.

But even that small crowd, acting in zombie concert, managed to gum up the Net for everyone else. What brought the Net down was not some concerted and deliberate action by the worm's infected hosts, but the worm's pattern of reproduction itself. Sapphire spread itself by sending a single packet (containing its entire code - its DNA) to vulnerable machines.

Since Sapphire was so small and simple - just 376 bytes long - it couldn't tell which machines were vulnerable in advance, so it chose them at random. Each infected PC sought to infect as many other machines as possible, as quickly as possible: repeatedly sending out the same packets as fast as it could. It's a crude survival ploy, but effective: like parasites laying eggs in every crevice they can find, host animal or not.

Sapphire was successful, all right: too successful. At the end of its 10 minutes of fame, tens of thousands of machines were sending out those packets as fast and as hard as they could.

The Net is not built for such heavy levels of continuous traffic. Data pipes all over the world maxed out, carrying nothing but the spreading worm. Normal traffic failed to get through: eventually, as pipes were shut down, not even the worm's packets got through. Internet and worm alike were buried under the eggcases of its own fertility.
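The random-target spreading and the traffic flood described above can be put into numbers with the standard simple-epidemic (logistic) model of a random scanner. The sketch below is an added example, not part of the original column: it takes the article's figures (75,000 vulnerable machines, 90 per cent infected within 10 minutes, a 376-byte worm) and works out the per-host sending rate and aggregate traffic they imply. It assumes a single initial infection, targets drawn uniformly from the IPv4 address space, and no bandwidth limits; its outputs are what the model implies, not measurements.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a uniformly random scanner draws from
PAYLOAD_BYTES = 376       # worm size given in the article (packet headers excluded)

def growth_rate(vulnerable, scans_per_sec):
    """Per-second growth rate: each probe lands on a vulnerable address
    with probability vulnerable / ADDRESS_SPACE."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE

def infected_fraction(t, vulnerable, scans_per_sec, seeds=1):
    """Logistic solution of di/dt = beta * i * (1 - i) with i(0) = seeds / vulnerable."""
    i0 = seeds / vulnerable
    beta = growth_rate(vulnerable, scans_per_sec)
    return 1.0 / (1.0 + (1.0 / i0 - 1.0) * math.exp(-beta * t))

def required_scan_rate(vulnerable, target, seconds, seeds=1):
    """Invert the logistic: probes/sec per host needed to reach `target` in `seconds`."""
    i0 = seeds / vulnerable
    beta = math.log((target / (1.0 - target)) * (1.0 / i0 - 1.0)) / seconds
    return beta * ADDRESS_SPACE / vulnerable

def doubling_time(vulnerable, scans_per_sec):
    """Early-phase doubling time in seconds, while almost no host is infected yet."""
    return math.log(2) / growth_rate(vulnerable, scans_per_sec)

def aggregate_payload_bps(infected_hosts, scans_per_sec, payload=PAYLOAD_BYTES):
    """Bits per second of worm payload sent by all infected hosts together."""
    return infected_hosts * scans_per_sec * payload * 8

if __name__ == "__main__":
    n = 75_000                                 # vulnerable machines (article's figure)
    rate = required_scan_rate(n, 0.90, 600)    # 90 per cent within 10 minutes
    print(f"implied rate: {rate:.0f} probes/s per host, "
          f"doubling every {doubling_time(n, rate):.0f} s")
    for minute in range(0, 11, 2):
        hosts = infected_fraction(minute * 60, n, rate) * n
        gbps = aggregate_payload_bps(hosts, rate) / 1e9
        print(f"t={minute:2d} min  infected={hosts:8.0f}  worm traffic={gbps:7.2f} Gbit/s")
```

Under these assumptions almost all of the growth lands in the last few minutes of the run, which is why the alarm could not be raised in time.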

Within a few hours, the mess was under some control. Sysadmins threw up filters targeting the worm's monotonous output. Individual infected computers were either shut down by their owners, or quarantined; isolated from the Net by upstream ISPs until their feverish ranting could be halted. It was a day or two before the traffic was down to normal levels. Even now there are sure to be a few Sapphire-infected PCs, desperately searching for the last few remaining uninfected, unimmunised hosts.

And after the carnage, the reckoning. By any account, millions of dollars were lost on that Friday. ATM machines, unable to call home, seized up; millions of emails were delayed or lost; South Korea, the most wired nation in the world, was cut off from the rest of the world, its Internet pipes clogged beyond aid. Whose responsibility was the worm? Who should pay for the chaos it caused?

Worms like Sapphire do not write themselves. For now, it's almost impossible to catch the creator or creators of a virus or worm, although forensic computing techniques are improving. It's probably safe to say that it was a bunch of kids, writing and deploying viral code for the challenge, perhaps unaware of the damage it might cause, perhaps not.

If the creators are too vague to bear the responsibility, then who? Microsoft, for writing software that proved so vulnerable? Civic groups in South Korea have considered taking a class action, suing the company for damages. And within minutes of the first analysis of the attack, sysadmins were taking time off their valiant defence to take sarcastic sideswipes at Microsoft.

To be fair to the software giant, every piece of software has bugs. And as competitive a company as Microsoft has to balance the demands of its customers (who will pay for new features) with security requirements (which, Microsoft claims, few companies will pay extra for). Businesses like their software cheap, and don't worry too much about the security. Microsoft never made any promises about liability or security.

For now, viruses and worms are no-one's responsibility - except for those who tidy up the messes afterwards, and who, incidentally, make a tidy living themselves from such work. They call it the Internet weather. Like the real weather, it remains a conversation piece. No matter how damaging it may be, no-one quite knows what else to do.